[Freeipa-users] Upgrade from 3x to 4x cant create first replica.

Chris Mohler cmohler at oberlin.edu
Tue Feb 10 13:38:32 UTC 2015


On 02/09/2015 11:36 AM, Martin Kosek wrote:
> On 02/09/2015 05:16 PM, Chris Mohler wrote:
>> On 02/09/2015 10:18 AM, Martin Kosek wrote:
>>> On 02/07/2015 12:27 AM, Chris Mohler wrote:
>>>> I'm having some troubles. I have an older IPA install, version 3.0.0, on CentOS
>>>> 6.6. It's currently the only master for my domain. I have about 4k user
>>>> accounts on here and it's a live system called "idm".
>>>>
>>>> I'm trying to upgrade to v4.x as I am hoping to fix some issues I am having
>>>> (clients can't auth unless service sssd is restarted multiple times: "10 (User
>>>> not known to the underlying authentication module)"). I think this is possibly
>>>> unrelated and the topic for another thread.
>>>>
>>>> I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2; it's called
>>>> "ipa".
>>> Good. Also note that RHEL/CentOS 7.1 will have a FreeIPA 4.0+ version baked
>>> in, so you can also use that platform if you are used to it.
>>>
>>>> On the master "idm" I ran "ipa-replica-prepare" and transferred the file to the
>>>> future replica "ipa". Then I ran the install replica script: ipa-replica-install
>>>> --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
>>>> Things went well until it failed:
>>>>
>>>> [24/35]: setting up initial replication
>>>> Starting replication, please wait until this has completed.
>>>> Update in progress, 133 seconds elapsed
>>>> Update in progress yet not in progress
>>>>
>>>> Update in progress yet not in progress
>>>>
>>>> Update in progress yet not in progress
>>>>
>>>> [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
>>>> abortedLDAP error: Referral]
>>>>
>>>> [error] RuntimeError: Failed to start replication
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Please help, I'm getting nowhere by myself.
>>> Can you please look on the master you are replicating from and look for errors
>>> in /var/log/messages or the DS errors log?
>>>
>>> Maybe you will see messages like "ns-slapd: encoded packet size too big (xxxxxx
>>> > 65536)" that are known to pop up more with CentOS 6.6.
>> Hi Martin,
>> Thanks for the reply and help, I appreciate it.
>>
>>> Good. Also note that RHEL/CentOS 7.1 will have a FreeIPA 4.0+ version baked
>>> in, so you can also use that platform if you are used to it.
>> Good to know. I try to be distro agnostic. I've used Red Hat 7.1, then went to
>> Solaris, then Ubuntu; now I'm back to CentOS and Fedora. I guess I'm equally
>> uncomfortable with either version.
>>
>> That said, is there any reason that I could or should not have a replica on a
>> Fedora 21 server and a 2nd replica on CentOS 7.1 later? My understanding is the
>> more the merrier.
> It should just work. Just note that in case of Fedora Server, these are
> upstream/Fedora bits which are only tested upstream. So if you for example
> break something in Fedora 21 (not likely to happen though ;-) and then get the
> change *replicated* to the RHEL production instance, I do not think Red Hat support
> would be happy with that.
>
> Also, if for example upstream releases FreeIPA 4.2, I would not just plug it in
> your production RHEL instance as it would upgrade all the data to the 4.2 level -
> which should get more downstream testing before Red Hat can rubber stamp it.
>
> TL;DR: if you are happy with the upstream level of support (this list/IRC/Trac),
> knock yourself out :-)
>
>>> Can you please look on the master you are replicating from and look for errors
>>> in /var/log/messages or the DS errors log?
>> I tried to set up the replica again just now so I have some fresh logs.
>>
>> From the Dirserv error log:
>> [08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
>> [08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
>> [08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>> [08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS requests
>> [08/Feb/2015:22:14:50 -0500] - Listening on /var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
>> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed: Server is unwilling to perform
>> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.
>> [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"
>>
>> To be fair and not duplicate efforts, I have had the following error:
>> [08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.
>>
>> To which I have asked another question, "how do I change the entry cache size?":
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
>> I now get additional errors which I would guess are possibly related.
> IMO, this should not be related (should not break replication). I do not
> see anything useful in the error log though. Did you also check
> /var/log/messages for the error message I sent?
I did some homework yesterday and noticed that, starting in Fedora 20,
/var/log/messages is no longer used; the preferred method of checking
logs is to use the "journalctl" command.

The journal actually has a few lines that reference slapd, but I don't
see any obvious lines in red that say error. Here is what I have:
Feb 09 10:40:15 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:15 -0500] - SSL alert: Configured NSS Ciphers
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:17 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:17 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:18 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:18 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
Feb 09 10:40:22 ipa.cs.oberlin.edu systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessibl
Feb 09 10:40:23 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:23 -0500] - SSL alert: Configured NSS Ciphers
Feb 09 10:40:23 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:23 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:23 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:23 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 09 10:40:24 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:24 -0500] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
Feb 09 10:40:25 ipa.cs.oberlin.edu ns-slapd[1389]: [09/Feb/2015:10:40:25 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2


I also took a look at the ipareplica-install.log, and there was some odd
stuff at the bottom. Is any of this relevant?
2015-02-09T15:42:44Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 965, in setup_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2015-02-09T15:42:44Z DEBUG   [error] RuntimeError: Failed to start replication
2015-02-09T15:42:44Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()

  File "/sbin/ipa-replica-install", line 700, in main
    ds = install_replica_ds(config)

  File "/sbin/ipa-replica-install", line 195, in install_replica_ds
    ca_file=config.dir + "/ca.crt",

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 355, in create_replica
    self.start_creation(runtime=60)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 965, in setup_replication
    raise RuntimeError("Failed to start replication")

2015-02-09T15:42:44Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication

-Chris
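An added example, not code from this thread, from FreeIPA or from 389-ds: a small Python triage script for the kind of log review Martin asked for. It strips the journalctl and dirsrv-errors-log prefixes, drops the enabled-cipher "SSL alert" lines that make up almost all of the journal output above, and attaches a severity to the lines that matter for a failed total update (the schema-push warnings and "Beginning total update" line from the DS errors log, the LDAP referral from the installer output, the entry-cache warning, and the "encoded packet size too big" message Martin mentioned). The sample input is constructed from lines quoted in the thread plus one constructed packet-size line; the rule table, severities and the explanatory notes are this example's own assumptions, not FreeIPA documentation.

```python
"""Triage 389-ds / ns-slapd log lines for replication problems.

Added example for this thread; it is not FreeIPA or 389-ds code. The sample
lines at the bottom are constructed from messages quoted in the thread, plus
one constructed "encoded packet size too big" line; the rules and severities
are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# journalctl prefix: "Mon DD HH:MM:SS host unit[pid]: <message>"
JOURNAL_PREFIX = re.compile(
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<rest>.*)$"
)
# 389-ds errors-log prefix: "[dd/Mon/yyyy:HH:MM:SS +zzzz] <message>"
DS_TIMESTAMP = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s*(?P<rest>.*)$"
)

# (pattern, verdict); first match wins. A verdict of None means known noise:
# the per-cipher "SSL alert" lines are just the enabled-cipher list.
RULES = [
    (re.compile(r"SSL alert: (Configured NSS Ciphers|\S+: enabled$)"), None),
    (re.compile(r"SSL Initialization - SSL version range"), None),
    (re.compile(r"encoded packet size too big"),
     ("error", "LDAP PDU larger than the server's limit; large entries will not replicate")),
    (re.compile(r"Update failed!.*Referral"),
     ("error", "total update aborted: consumer answered with an LDAP referral")),
    (re.compile(r"Schema replication update failed"),
     ("warning", "schema could not be pushed to the consumer")),
    (re.compile(r"unable to replicate schema"),
     ("warning", "schema push skipped, total update continues")),
    (re.compile(r"entry cache size .* is less than db size"),
     ("notice", "nsslapd-cachememsize below db size: performance, not correctness")),
    (re.compile(r"Beginning total update"),
     ("info", "total update (re-initialisation) of the consumer started")),
]


@dataclass
class Finding:
    severity: str
    timestamp: Optional[str]   # DS-log timestamp if the line carried one
    message: str
    note: str


def split_prefix(line: str) -> Tuple[Optional[str], Optional[str], str]:
    """Strip journal and DS prefixes; return (unit, ds_timestamp, message)."""
    unit = None
    m = JOURNAL_PREFIX.match(line)
    if m:
        unit, line = m.group("unit"), m.group("rest")
    ts = None
    m = DS_TIMESTAMP.match(line)
    if m:
        ts, line = m.group("ts"), m.group("rest")
    return unit, ts, line.strip()


def classify(message: str) -> Optional[Tuple[str, str]]:
    for pattern, verdict in RULES:
        if pattern.search(message):
            return verdict
    return ("unclassified", "no rule matched; read it by hand")


def triage(lines) -> List[Finding]:
    """Keep directory-server lines (DS errors log, ns-slapd journal entries,
    or unprefixed installer output) and attach a severity to each."""
    findings = []
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw.strip():
            continue
        unit, ts, msg = split_prefix(raw)
        if unit not in (None, "ns-slapd"):
            continue  # systemd, sssd, ... are out of scope here
        verdict = classify(msg)
        if verdict is None:
            continue  # known noise
        findings.append(Finding(verdict[0], ts, msg, verdict[1]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: DS errors log, journalctl and installer lines quoted in
# the thread, plus one constructed "encoded packet size" journal line.
SAMPLE = """\
[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt="cn=meToipa.cs.oberlin.edu" (ipa:389): Schema replication update failed: Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa.cs.oberlin.edu" (ipa:389)"
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.
Feb 09 10:40:16 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:16 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Feb 09 10:40:19 ipa.cs.oberlin.edu ns-slapd[1322]: [09/Feb/2015:10:40:19 -0500] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
Feb 09 10:40:22 ipa.cs.oberlin.edu systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible.
[idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
Feb 09 10:41:00 idm.cs.oberlin.edu ns-slapd[2222]: [09/Feb/2015:10:41:00 -0500] - ns-slapd: encoded packet size too big (123456 > 65536)
"""

if __name__ == "__main__":
    found = triage(SAMPLE.splitlines())
    for f in found:
        print(f"{f.severity:<12} {f.timestamp or '-':<28} {f.message[:60]}  # {f.note}")
    print(summarize(found))
```

Run it against `journalctl -u dirsrv@CS-OBERLIN-EDU` output or the errors log (`triage(open(path))` works on any iterable of lines); the point of the rule table is that the two "error" findings and the two schema warnings are what is left once the 70-odd cipher lines are discarded, which is the view a reviewer actually wants before comparing master and replica logs.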
